10 common postures for password reset for any user

Cause: The verification code issued when retrieving a password has no time limit. The server only checks whether the code is correct, not whether it has expired, so the same code stays valid for a very long time.

Test method: Find the real verification code by enumeration and submit it to complete the verification.

Case: In the following case, after clicking to obtain the mobile phone verification code, the code was captured directly in the Response packet.

When the verification code does not expire and is only 4 digits, brute-force it directly and compare the length or content of the returned packet to find the correct code. Here a return value of 0 indicates success.

Summary

It is now very rare for a verification code not to expire, and the number of digits is rarely as short as 4. Most sites now use a 6-digit code that is valid for 15 minutes, and in that case the chance of a successful brute force is very low.

Get the verification code directly in the Response (return package)

Case:

Another case:

In this case the username is encrypted.

In fact, in most cases we do not need to know the encryption algorithm. In this example the encrypted value of liuyy is 80e688602c4b11e66320c421e3b71ef2, so we can use this keyCode parameter directly.

The steps are the same: enter our own username and the verification code we received, then replace our keyCode with liuyy's keyCode, and we can reset liuyy's password. (The root cause is again that the server checks whether the verification code is correct, but not whether the verification code belongs to the user being reset.)
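As an added illustration of how a server closes both root causes described above (a code with no expiry that can be enumerated, and a code that is checked for correctness but not bound to the account being reset), here is a verification routine written for this page. It is example code, not from the original post or from any site it describes; the user ids, phone numbers, attempt limit and lifetime are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 15 * 60  # assumed lifetime; the post notes 15 minutes is common
MAX_ATTEMPTS = 5           # assumed cap; a 4- or 6-digit code cannot be enumerated in 5 tries


@dataclass
class ResetChallenge:
    user_id: str      # account being reset, fixed when the code is issued
    phone: str        # number the code was actually sent to
    code: str
    issued_at: float
    attempts: int = 0


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so response timing does not leak partial matches."""
    return hmac.compare_digest(a.encode(), b.encode())


class ResetService:
    def __init__(self, now=time.time):
        self._now = now                            # injectable clock for testing expiry
        self._challenges: dict[str, ResetChallenge] = {}   # reset_id -> challenge

    def start_reset(self, user_id: str, phone_on_file: str) -> tuple[str, str]:
        """Issue a 6-digit code bound to the user and their registered phone.
        Only reset_id is returned to the client; the code goes out over SMS."""
        code = f"{secrets.randbelow(10**6):06d}"
        reset_id = secrets.token_urlsafe(16)
        self._challenges[reset_id] = ResetChallenge(user_id, phone_on_file, code, self._now())
        return reset_id, code

    def verify(self, reset_id: str, claimed_user: str, claimed_phone: str, code: str) -> bool:
        ch = self._challenges.get(reset_id)
        if ch is None:
            return False
        if self._now() - ch.issued_at > OTP_TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[reset_id]         # expired or locked out: discard the challenge
            return False
        ch.attempts += 1
        # The user and phone sent by the client must match what the challenge was issued
        # for; otherwise a valid code for one account could reset another (the keyCode swap).
        bound = _eq(ch.user_id, claimed_user) and _eq(ch.phone, claimed_phone)
        if bound and _eq(ch.code, code):
            del self._challenges[reset_id]         # single use
            return True
        return False
```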

Summary

I had never encountered this situation before and learned from it; I will test for this when retrieving passwords in the future. It now seems very convenient for white hats to have two mobile phone numbers.

How do we obtain another user's keyCode in Case 2? Go through the password retrieval process normally, capture the traffic, and find the encrypted keyCode in the data packet; with it you can reset any user's password.

Case:

Click to retrieve the password. First we enter zhangwei (we do not know zhangwei's mobile phone number) and click to get the verification code. At this point we change the mobile phone number to our own, enter our own number and the verification code we received, and are taken to the password reset page, where the password is reset successfully.

Case:

Here we change 0 to 1 in the return packet. Using a tool to modify the return packet, we change 0 to 1, forward the packet, and view the page. It jumps to the password change page, and entering a new password changes the password of user 13888888888.

Summary

who_jeff once shared a similar case: while doing a packet capture test on an Android app, he directly modified the return packet to deceive the local app client and successfully reset the password of any user.

Case:

Summary

This vulnerability does not require following the normal process at all. Simply fill in the link for setting a new password and use that link to reset any user's password directly.

Case:

Summary

The key here is to replace the target mobile phone number in the final password reset step. This is quite brute-force: once you have this link, you can unconditionally reset any user's password in batches, for example by using Burp to enumerate the mphone mobile phone number parameter.

Case:

Summary

This kind of vulnerability is also fairly brute-force and can be used to reset the passwords of any number of users by enumerating the value of the ID. Because no username is needed, only the ID value, it is more harmful.

Case:

Summary

Key point: the cookie identifies which user is being reset. When trying to retrieve a password using someone else's account, capture the data packet, extract the cookie value from it, and then use that cookie value to reset the specified user's password.

Case:

Summary

The last one is a little more complicated. You have to find the hidden parameter loginId and then modify the data packet. When hunting for bugs in the future, pay more attention to parameters like these.